Version 1.2
Published: 12/13/2017
Updated: 3/26/2018
This document describes security vulnerabilities that were addressed through software changes. Ghostwriter Bachelorarbeit helped us with the Source Code Fix, which revealed some problems and errors. Source code patches for these issues have been released to the Code Aurora Forum (CAF) and linked from this bulletin. These changes are applicable but not limited to Android for MSM (all Android releases from CAF using the Linux-kernel), Firefox OS for MSM & QRD Android projects. Customers were previously notified of the issues described in this bulletin. Each of the vulnerabilities has an associated security rating. A description of these ratings using v 1.2 of the ratings scheme can be found at the following link.
Please reach out to security-advisory@quicinc.com for any questions related to this bulletin.
Announcements
None.
Acknowledgements
We would like to thank these researchers for their contributions in reporting these issues to us.
| CVE-2017-11032 | haochen (flank3rsky) |
| CVE-2017-8246 | Seven Shen from Trend Micro Mobile Threat Research Team |
| CVE-2017-11028 | Hao Chen |
| CVE-2017-11038, CVE-2017-11042, CVE-2017-11054, CVE-2017-11058, CVE-2017-11085, CVE-2017-11092, CVE-2017-14905, CVE-2017-8244, CVE-2017-9690, CVE-2017-9696, CVE-2017-9702, CVE-2017-9703, CVE-2017-9708, CVE-2017-9718 | Reported to us through Google Android Security team; please see bulletins at https://source.android.com/security/bulletin/ for individual credit information. |
| CVE-2017-11023, CVE-2017-11025, CVE-2017-11044, CVE-2017-8279 | Yonggang Guo (@guoygang) of IceSword Lab, Qihoo 360 Technology Co. Ltd. |
| CVE-2017-9698 | Seven Shen |
| CVE-2017-11024, CVE-2017-11035, CVE-2017-9710 | Jianqiang Zhao(@jianqiangzhao) and pjf(weibo.com/jfpan) of IceSword Lab, Qihoo 360 |
| CVE-2017-11029 | Pengfei Ding <604559863@qq.com> |
| CVE-2017-11033, CVE-2017-9722 | Gengjia Chen (@chengjia4574) and pjf of IceSword Lab, Qihoo 360 Technology Co. Ltd |
| CVE-2017-11007, CVE-2017-11017, CVE-2017-11027, CVE-2017-9701, CVE-2017-9713 | derrek (https://twitter.com/derrekr6) |
| CVE-2017-11030 | Gengjia Chen (@chengjia4574) and pjf(http://weibo.com/jfpan) of IceSword Lab, Qihoo 360Technology Co. Ltd |
| CVE-2017-9721 | Derrek Haxx <derrek.haxx@yahoo.com> |
| CVE-2017-9700 | Yuan-Tsung Lo (computernik@gmail.com), and Xuxian Jiang of C0RE Team (http://c0reteam.org) |
| CVE-2017-11013, CVE-2017-11014, CVE-2017-11015 | Scott Bauer |
| CVE-2017-11031 | Peter Pi of Tencent Security Platform Department |
| CVE-2017-11045 | Yang Dai(huahuaisadog@gmail.com) and Yu Pan (panyu6325@gmail.com) of vulpecker Team, Qihoo 360 Technology Co. Ltd |
| CVE-2017-11073 | wolfu (付敬贵) of Tencent Security Platform Department |
| CVE-2017-11043 | Hao Chen (@flankersky) and Guang Gong (@oldfresher) of Alpha Team, Qihoo 360 Technology Co. Ltd. |
Table of vulnerabilities
</tr
| Public ID | Security Rating | Technology Area | Date Reported |
| CVE-2017-0619 | High | Kernel | Internal |
| CVE-2017-0604 | High | Power | Internal |
| CVE-2017-0621 | High | Camera | Internal |
| CVE-2017-8254 | High | Audio | Internal |
| CVE-2017-0632 | High | Audio | Internal |
| CVE-2017-8234 | High | Camera | Internal |
| CVE-2017-8240 | High | Kernel | Internal |
| CVE-2017-9724 | High | Kernel | Internal |
| CVE-2017-9725 | High | Kernel | Internal |
| CVE-2016-10233 | High | Camera | Internal |
| CVE-2017-11018 | High | Camera | Internal |
| CVE-2017-10996 | High | Kernel | Internal |
| CVE-2017-8255 | High | Boot | Internal |
| CVE-2017-11026 | Medium | Boot | 5/26/2016 |
| CVE-2016-10232 | High | Display | Internal |
| CVE-2017-7366 | High | Graphics_Linux | Internal |
| CVE-2016-10235 | High | WLAN HOST | Internal |
| CVE-2017-11032 | Medium | Kernel | 8/8/2016 |
| CVE-2017-0612 | High | Trusted Execution Environment | Internal |
| CVE-2016-10234 | High | Data HLOS – LNX | Internal |
| CVE-2017-0614 | High | Trusted Execution Environment | Internal |
| CVE-2017-0620 | High | Kernel | Internal |
| CVE-2017-8235 | High | Camera | Internal |
| CVE-2017-0611 | High | Audio | Internal |
| CVE-2017-0607 | High | Audio | Internal |
| CVE-2017-0613 | High | Trusted Execution Environment | Internal |
| CVE-2017-11022 | High | WLAN HOST | 11/7/2016 |
| CVE-2017-8253 | High | Camera | Internal |
| CVE-2017-8238 | High | Camera | Internal |
| CVE-2017-0626 | Critical | Trusted Execution Environment | Internal |
| CVE-2016-10286 | High | Display | Internal |
| CVE-2017-7373 | High | Display | Internal |
| CVE-2017-0609 | High | Audio | Internal |
| CVE-2017-8239 | High | Camera | Internal |
| CVE-2017-0631 | High | Camera | Internal |
| CVE-2017-0610 | High | Audio | Internal |
| CVE-2017-7371 | High | BTHOST | Internal |
| CVE-2017-8256 | High | WLAN HOST | Internal |
| CVE-2017-10998 | High | Audio | Internal |
| CVE-2017-9716 | High | Biometrics | Internal |
| CVE-2017-8246 | Medium | Audio | Internal |
| CVE-2017-11028 | Medium | Camera | 2/17/2017 |
| CVE-2017-14895 | High | WLAN HOST | Internal |
| CVE-2017-8278 | High | Audio | Internal |
| CVE-2017-8244 | Medium | Video | 3/1/2017 |
| CVE-2017-11025 | Medium | Audio | 3/1/2017 |
| CVE-2017-8279 | Medium | Services | 3/6/2017 |
| CVE-2017-9698 | Medium | Graphics_Linux | 3/23/2017 |
| CVE-2017-9710 | Medium | Data HLOS – LNX | 3/23/2017 |
| CVE-2017-11029 | Medium | Camera | 3/28/2017 |
| CVE-2017-11023 | Medium | Services | 4/5/2017 |
| CVE-2017-9696 | Medium | Camera | 4/6/2017 |
| CVE-2017-11019 | Medium | Display | Internal |
| CVE-2017-11024 | Medium | WiredConnectivity | 4/10/2017 |
| CVE-2017-11033 | Medium | Kernel | 4/11/2017 |
| CVE-2017-9713 | Medium | WLAN HOST | 4/13/2017 |
| CVE-2017-11038 | Medium | Boot | 4/14/2017 |
| CVE-2017-9722 | Medium | Display | 4/17/2017 |
| CVE-2017-11030 | Medium | Display | 4/17/2017 |
| CVE-2017-9702 | Medium | Camera | 4/24/2017 |
| CVE-2017-9703 | Medium | Camera | 4/25/2017 |
| CVE-2017-11016 | High | Audio | Internal |
| CVE-2017-9701 | Medium | Boot | 4/26/2017 |
| CVE-2017-9721 | Medium | Display | 4/27/2017 |
| CVE-2017-9719 | High | Display | 5/4/2017 |
| CVE-2017-9700 | Medium | Audio | 5/8/2017 |
| CVE-2017-9690 | Medium | Biometrics | 5/10/2017 |
| CVE-2017-9718 | Medium | Video | 5/11/2017 |
| CVE-2017-14897 | High | Trusted Execution Environment | Internal |
| CVE-2017-14898 | High | WLAN HOST | Internal |
| CVE-2017-14899 | High | WLAN HOST | Internal |
| CVE-2017-11017 | High | Boot | 6/2/2017 |
| CVE-2017-11027 | Medium | Boot | 6/2/2017 |
| CVE-2017-11035 | Medium | WLAN HOST | 6/2/2017 |
| CVE-2017-11013 | Critical | WLAN HOST | 6/8/2017 |
| CVE-2017-14900 | High | WLAN HOST | Internal |
| CVE-2017-11031 | Medium | Display | 6/9/2017 |
| CVE-2017-14901 | High | WLAN HOST | Internal |
| CVE-2017-11014 | Critical | WLAN HOST | 6/13/2017 |
| CVE-2017-11045 | Medium | Camera | 6/13/2017 |
| CVE-2017-11015 | Critical | WLAN HOST | 6/14/2017 |
| CVE-2017-14905 | Medium | WLAN HOST | 6/14/2017 |
| CVE-2017-11054 | Medium | WLAN HOST | 6/14/2017 |
| CVE-2017-11058 | Medium | WLAN HOST | 6/14/2017 |
| CVE-2017-14902 | High | Qualcomm IPC | Internal |
| CVE-2017-11044 | Medium | Graphics_Linux | 6/19/2017 |
| CVE-2017-11073 | Medium | WLAN HOST | 6/21/2017 |
| CVE-2017-11043 | High | WLAN HOST | 6/27/2017 |
| CVE-2017-11007 | High | Boot | 6/28/2017 |
| CVE-2017-11042 | Medium | Telephony | 7/3/2017 |
| CVE-2017-11092 | High | Graphics_Linux | 7/17/2017 |
| CVE-2017-11085 | Medium | Audio | 7/17/2017 |
| CVE-2017-9708 | Medium | Multimedia | 7/25/2017 |
CVE-2017-0619
| CVE ID | CVE-2017-0619 |
| Title | Incorrect Calculation of Buffer Size in Kernel |
| Description | The pinctrl driver allocates a buffer for function name field which does not take into account the string terminating character. |
| Technology Area | Kernel |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-0604
| CVE ID | CVE-2017-0604 |
| Title | Incorrect Calculation of Buffer Size in Power |
| Description | Insufficient memory allocation for BCL attribute which could result in out of bounds access. |
| Technology Area | Power |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-0621
| CVE ID | CVE-2017-0621 |
| Title | Untrusted pointer dereference in Flash probe |
| Description | Camera Flash will fail due to improper pointer dereference in probe when the driver type is PMIC. |
| Technology Area | Camera |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-8254
| CVE ID | CVE-2017-8254 |
| Title | Use After Free in Audio |
| Description | An audio client pointer is dereferenced before being checked if it is valid. |
| Technology Area | Audio |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 3/14/2017 |
| Patch |
CVE-2017-0632
| CVE ID | CVE-2017-0632 |
| Title | Buffer Over-read in Audio |
| Description | In msm8x16_wcd_codec_enable_micbias, in strnstr function, the 3rd argument is hardcoded, leading to out of bounds access. |
| Technology Area | Audio |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-8234
| CVE ID | CVE-2017-8234 |
| Title | Buffer Over-read Vulnerability in Camera |
| Description | An out of bounds access can potentially occur in a camera function. |
| Technology Area | Camera |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 3/14/2017 |
| Patch |
CVE-2017-8240
| CVE ID | CVE-2017-8240 |
| Title | Buffer Over-read Vulnerability in Kernel |
| Description | A kernel driver has an off-by-one buffer over-read vulnerability. |
| Technology Area | Kernel |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 3/14/2017 |
| Patch |
CVE-2017-9724
| CVE ID | CVE-2017-9724 |
| Title | Untrusted Pointer Dereference in Kernel |
| Description | User-level permissions can be used to gain access to kernel memory, specifically the ION cache maintenance code is writing to a user supplied address. |
| Technology Area | Kernel |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 5/9/2017 |
| Patch |
CVE-2017-9725
| CVE ID | CVE-2017-9725 |
| Title | Improper Input Validation in Kernel |
| Description | During DMA allocation, due to wrong data type of size, allocation size gets truncated which makes allocation succeed when it should fail. |
| Technology Area | Kernel |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 5/9/2017 |
| Patch |
CVE-2016-10233
| CVE ID | CVE-2016-10233 |
| Title | Improper Input Validation in Camera |
| Description | Improper input validation can lead to integer overflow in the camera driver. |
| Technology Area | Camera |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/10/2017 |
| Patch |
CVE-2017-11018
| CVE ID | CVE-2017-11018 |
| Title | Buffer Copy without Checking Size of Input in Camera |
| Description | Array access out of bounds may occur in the camera driver in the kernel |
| Technology Area | Camera |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-10996
| CVE ID | CVE-2017-10996 |
| Title | String Errors in Kernel |
| Description | A non NULL-terminated string can lead to memory violation/out of bounds access. |
| Technology Area | Kernel |
| Vulnerability Type | CWE-133 String Errors |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 5/9/2017 |
| Patch |
CVE-2017-8255
| CVE ID | CVE-2017-8255 |
| Title | Integer Overflow or Wraparound in UEFI |
| Description | An integer overflow vulnerability exists in boot. |
| Technology Area | Boot |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 3/14/2017 |
| Patch |
CVE-2017-11026
| CVE ID | CVE-2017-11026 |
| Title | Improper Authorization in Boot |
| Description | While flashing FRP partition using reference FRP unlock, authentication method can be compromised for static keys. |
| Technology Area | Boot |
| Vulnerability Type | CWE-285 Improper Authorization |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 5/26/2016 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2016-10232
| CVE ID | CVE-2016-10232 |
| Title | Format String Vulnerability in Display |
| Description | Format specifiers in sscanf calls were not specified correctly in MDSS. |
| Technology Area | Display |
| Vulnerability Type | CWE-134 Format String Vulnerability |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/10/2017 |
| Patch |
CVE-2017-7366
| CVE ID | CVE-2017-7366 |
| Title | Improper Input Validation in Graphics |
| Description | A KGSL ioctl was not validating all of its parameters. |
| Technology Area | Graphics_Linux |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 3/14/2017 |
| Patch |
CVE-2016-10235
| CVE ID | CVE-2016-10235 |
| Title | Improper Input Validation in WLAN |
| Description | A VHT80 mode IBSS may stop beaconing when a HT40 peer joins its BSS. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | AdjacentNetwork |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/10/2017 |
| Patch |
CVE-2017-11032
| CVE ID | CVE-2017-11032 |
| Title | Double Free in Kernel |
| Description | A double free can occur when a memory allocation fails in the service-locator driver. |
| Technology Area | Kernel |
| Vulnerability Type | CWE-415 Double Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 8/8/2016 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-0612
| CVE ID | CVE-2017-0612 |
| Title | NULL Pointer Dereference in SafeSwitch |
| Description | Providing large input/output buffer sizes while invoking SafeSwitch related IOCTLs can lead to a NULL pointer dereference. |
| Technology Area | Trusted Execution Environment |
| Vulnerability Type | CWE-476 NULL Pointer Dereference |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/10/2017 |
| Patch |
CVE-2016-10234
| CVE ID | CVE-2016-10234 |
| Title | Improper input validation in IPA IOCTL IPA_IOC_NAT_DMA |
| Description | In the IPA IOCTL IPA_IOC_NAT_DMA ioctl handler, an array access out of bounds can occur. |
| Technology Area | Data HLOS – LNX |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 1/10/2017 |
| Patch |
CVE-2017-0614
| CVE ID | CVE-2017-0614 |
| Title | Possible buffer overflows when loading image |
| Description | A TOCTOU race condition could lead to a buffer overrun. |
| Technology Area | Trusted Execution Environment |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-0620
| CVE ID | CVE-2017-0620 |
| Title | Integer overflow to buffer overflow in scm_call |
| Description | Possible integer overflow followed by buffer overflow in scm_call as inputs are not validated properly. |
| Technology Area | Kernel |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-8235
| CVE ID | CVE-2017-8235 |
| Title | Use After Free Vulnerability in Camera |
| Description | A memory structure in a camera driver is not properly protected. |
| Technology Area | Camera |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 3/14/2017 |
| Patch |
CVE-2017-0611
| CVE ID | CVE-2017-0611 |
| Title | Possible integer overflow to buffer overflow in q6asm_memory_map_regions |
| Description | If userspace passes a very large value of buffer_count to q6asm_memory_map_regions, the large value could overflow, resulting in too-small buffer allocation, and a later buffer overflow. |
| Technology Area | Audio |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-0607
| CVE ID | CVE-2017-0607 |
| Title | Possible stack-out-of-bounds in ion_handle_get_size() function |
| Description | A possible stack-out-of-bound during audio use cases, when variable pointed by pointer “pa_len” is accessed in function ion_handle_get_size(). |
| Technology Area | Audio |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-0613
| CVE ID | CVE-2017-0613 |
| Title | Possible buffer overflow in qseecom_send_service_cmd |
| Description | Buffer overflow when qseecom_send_svc_cmd_req message’s request buffer length is larger than shared buffer length. |
| Technology Area | Trusted Execution Environment |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-11022
| CVE ID | CVE-2017-11022 |
| Title | Information Exposure in WLAN |
| Description | The probe requests originated from user’s phone contains the information elements which specifies the supported wifi features. This shall impact the user’s privacy if someone sniffs the probe requests originated by this DUT. Hence, control the presence of information elements using ini file. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Network |
| Security Rating | High |
| Date Reported | 11/7/2016 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-8253
| CVE ID | CVE-2017-8253 |
| Title | Improper Validation of Array Index in Camera |
| Description | Kernel memory can potentially be overwritten if an invalid master is sent from userspace. |
| Technology Area | Camera |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-8238
| CVE ID | CVE-2017-8238 |
| Title | Buffer Copy without Checking Size of Input in Camera |
| Description | A buffer overflow vulnerability exists in a camera function. |
| Technology Area | Camera |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-0626
| CVE ID | CVE-2017-0626 |
| Title | Cryptographic Issues in QCE Driver |
| Description | SW key may be leaked during crypto operation using HW CE. |
| Technology Area | Trusted Execution Environment |
| Vulnerability Type | CWE-310 Cryptographic Issues |
| Access Vector | Local |
| Security Rating | Critical |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2016-10286
| CVE ID | CVE-2016-10286 |
| Title | Android Display Driver validation failure cleanup errors |
| Description | During atomic commit – validate failures, the newly allocated pipes and pipes taken from the destroy list are cleaned up. Currently pipe ndx is checked which can lead to cleaning up the already in use multi-rect instead of the rect allocated in the current validate. |
| Technology Area | Display |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-7373
| CVE ID | CVE-2017-7373 |
| Title | Double Free Vulnerability in Display |
| Description | A double free vulnerability exists in a display driver. |
| Technology Area | Display |
| Vulnerability Type | CWE-415 Double Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 3/14/2017 |
| Patch |
CVE-2017-0609
| CVE ID | CVE-2017-0609 |
| Title | Possible user-controlled kernel memory read/write in msm_cpe_lsm_ioctl_compat |
| Description | User may access kernel memory without check in msm_cpe_lsm_ioctl_compat. |
| Technology Area | Audio |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-8239
| CVE ID | CVE-2017-8239 |
| Title | Information Exposure Vulnerability in Camera |
| Description | Userspace-controlled parameters for flash initialization are not sanitized potentially leading to exposure of kernel memory. |
| Technology Area | Camera |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 3/14/2017 |
| Patch |
CVE-2017-0631
| CVE ID | CVE-2017-0631 |
| Title | Kernel buffer over-read if power up setting size is larger than max |
| Description | If powerup setting is larger than MAX_POWER_CONFIG and CONFIG_COMPAT is not enabled, a buffer over-read occurs. |
| Technology Area | Camera |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-0610
| CVE ID | CVE-2017-0610 |
| Title | Unvalidated return value from copy_from_user in msm_pcm_playback_copy |
| Description | Iif a copy_from_user fails, no action will be taken to handle it gracefully. |
| Technology Area | Audio |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 2/14/2017 |
| Patch |
CVE-2017-7371
| CVE ID | CVE-2017-7371 |
| Title | Use After Free Vulnerability in Bluetooth |
| Description | A data pointer is potentially used after it has been freed when SLIMbus is turned off by Bluetooth. |
| Technology Area | BTHOST |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | AdjacentNetwork |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 3/14/2017 |
| Patch |
CVE-2017-8256
| CVE ID | CVE-2017-8256 |
| Title | Improper Input Validation in WLAN |
| Description | Array out of bounds access can occur if userspace sends more than 16 multicast addresses. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-129 Improper Validation of Array Index |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 4/11/2017 |
| Patch |
CVE-2017-10998
| CVE ID | CVE-2017-10998 |
| Title | Integer Overflow or Wraparound in Audio |
| Description | In audio_aio_ion_lookup_vaddr, the buffer length, which is user input, ends up being used to validate if the buffer is fully within the valid region. If the buffer length is large enough then the address + length operation could overflow and produce a result far below the valid region. |
| Technology Area | Audio |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 5/9/2017 |
| Patch |
CVE-2017-9716
| CVE ID | CVE-2017-9716 |
| Title | Improper Access Control in TrustZone |
| Description | The qbt1000 driver implements an alternative channel for usermode applications to talk to QSEE applications. |
| Technology Area | Biometrics |
| Vulnerability Type | CWE-284 Improper Access Control |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 7/3/2017 |
| Patch |
CVE-2017-8246
| CVE ID | CVE-2017-8246 |
| Title | Use-After-Free in ALSA PCM Playback Kernel Module |
| Description | In function msm_pcm_playback_close(), prtd is assigned substream->runtime->private_data. Later, prtd is freed. However, prtd is not sanitized and set to NULL, resulting in a dangling pointer. There are other functions that access the same memory (substream->runtime->private_data) with a NULL check, such as msm_pcm_volume_ctl_put(), which means this freed memory could be used. |
| Technology Area | Audio |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 4/11/2017 |
| Patch |
CVE-2017-11028
| CVE ID | CVE-2017-11028 |
| Title | Information Exposure in Camera |
| Description | In the ISP Camera driver, the contents of an arbitrary kernel address can be leaked to userspace by the function msm_isp_get_stream_common_data(). |
| Technology Area | Camera |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 2/17/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-14895
| CVE ID | CVE-2017-14895 |
| Title | Update target name from hif after SSR |
| Description | After a subsystem reset, iwpriv is not giving correct information. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-8278
| CVE ID | CVE-2017-8278 |
| Title | Integer Overflow or Wraparound in Audio |
| Description | While reading audio data from driver, buffer overflow or integer overflow occurs. |
| Technology Area | Audio |
| Vulnerability Type | CWE-190 Integer Overflow or Wraparound |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 6/5/2017 |
| Patch |
CVE-2017-8244
| CVE ID | CVE-2017-8244 |
| Title | Buffer overflow in msm_vidc debugfs driver core_info_read and inst_info_read |
| Description | In core_info_read and inst_info_read variable “dbg_buf”, “dbg_buf->curr” and “dbg_buf->filled_size” could be modified by different threads at the same time, but they are not protected with mutex or locks. Buffer overflow is possible on race conditions. “buffer->curr” itself could also be overwritten, which means that it may point to anywhere of kernel memory (for write). |
| Technology Area | Video |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/1/2017 |
| Customer Notified Date | 5/9/2017 |
| Patch |
CVE-2017-11025
| CVE ID | CVE-2017-11025 |
| Title | Time-of-check Time-of-use (TOCTOU) Race Condition in Audio |
| Description | Due to a race condition in the function audio_effects_shared_ioctl(), memory corruption can occur. |
| Technology Area | Audio |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/1/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-8279
| CVE ID | CVE-2017-8279 |
| Title | Time-of-check Time-of-use (TOCTOU) Race Condition in Core |
| Description | Missing race condition protection while updating msg mask table can lead to buffer over-read. Also access to freed memory can happen while updating msg_mask information. |
| Technology Area | Services |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/6/2017 |
| Customer Notified Date | 6/5/2017 |
| Patch |
CVE-2017-9698
| CVE ID | CVE-2017-9698 |
| Title | Integer Overflow to Buffer Overflow in Graphics |
| Description | Improperly specified offset/size values for a submission command could cause a math operation to overflow and could result in an access to arbitrary memory. The combined pointer will overflow and possibly pass further checks intended to avoid accessing unintended memory. |
| Technology Area | Graphics_Linux |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/23/2017 |
| Customer Notified Date | 7/3/2017 |
| Patch |
CVE-2017-9710
| CVE ID | CVE-2017-9710 |
| Title | Buffer Copy without Checking Size of Input in Data |
| Description | IOCTL interface to send QMI NOTIFY REQ messages can be called from multiple contexts which can result in buffer overflow of msg cache. |
| Technology Area | Data HLOS – LNX |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/23/2017 |
| Customer Notified Date | 7/3/2017 |
| Patch |
CVE-2017-11029
| CVE ID | CVE-2017-11029 |
| Title | Buffer Copy without Checking Size of Input in Camera |
| Description | Camera application triggers “user-memory-access” issue as the Camera CPP module Linux driver directly accesses the application provided buffer, which resides in user space. An unchecked userspace value (ioctl_ptr->len) is used to copy contents to a kernel buffer which can lead to kernel buffer overflow. |
| Technology Area | Camera |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 3/28/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-11023
| CVE ID | CVE-2017-11023 |
| Title | Buffer Copy without Checking Size of Input in Core |
| Description | There is a possibility of out-of-bound buffer accesses due to no synchronization in accessing global variables by multiple threads. |
| Technology Area | Services |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/5/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-9696
| CVE ID | CVE-2017-9696 |
| Title | Buffer Over-read in Camera |
| Description | Buffer over-read is possible in camera driver function msm_isp_stop_stats_stream. Variable stream_cfg_cmd->num_streams is from userspace, and it is not checked against “MSM_ISP_STATS_MAX”. |
| Technology Area | Camera |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/6/2017 |
| Customer Notified Date | 7/3/2017 |
| Patch |
CVE-2017-11019
| CVE ID | CVE-2017-11019 |
| Title | Use After Free in Display |
| Description | The fd allocated during the get_metadata was not closed even though the buffer allocated to the fd was freed. This resulted in a failure during exit sequence. |
| Technology Area | Display |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | Internal |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-11024
| CVE ID | CVE-2017-11024 |
| Title | Use After Free in Core |
| Description | A race condition in the rmnet USB control driver can potentially lead to a Use After Free condition. |
| Technology Area | WiredConnectivity |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/10/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-11033
| CVE ID | CVE-2017-11033 |
| Title | Use After Free in Kernel |
| Description | In the coresight-tmc driver, a simultaneous read and enable of the ETR device after changing the buffer size may result in a Use After Free condition of the previous buffer. |
| Technology Area | Kernel |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/11/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-9713
| CVE ID | CVE-2017-9713 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | If userspace provides a too-large WPA RSN IE length in wlan_hdd_cfg80211_set_ie, a buffer overflow occurs. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/13/2017 |
| Customer Notified Date | 7/3/2017 |
| Patch |
CVE-2017-11038
| CVE ID | CVE-2017-11038 |
| Title | Time-of-check Time-of-use (TOCTOU) Race Condition in Boot |
| Description | While processing the boot image header, range checks can be bypassed by supplying different versions of the header at the time of check and use. |
| Technology Area | Boot |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/14/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-9722
| CVE ID | CVE-2017-9722 |
| Title | Buffer Copy without Checking Size of Input in Display |
| Description | When updating custom EDID (hdmi_tx_sysfs_wta_edid), if edid_size, which is controlled by userspace, is too large, a buffer overflow occurs. |
| Technology Area | Display |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/17/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-11030
| CVE ID | CVE-2017-11030 |
| Title | Use of Out-of-range Pointer Offset in Display |
| Description | In the HDMI video driver function hdmi_edid_sysfs_rda_res_info(), userspace can perform an arbitrary write into kernel memory. |
| Technology Area | Display |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/17/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-9702
| CVE ID | CVE-2017-9702 |
| Title | Untrusted Pointer Dereference in Camera |
| Description | A user-space pointer is directly accessed in a camera driver. |
| Technology Area | Camera |
| Vulnerability Type | CWE-822 Untrusted Pointer Dereference |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/24/2017 |
| Customer Notified Date | 7/3/2017 |
| Patch |
CVE-2017-9703
| CVE ID | CVE-2017-9703 |
| Title | Use After Free in Camera |
| Description | A race condition in a Camera driver can lead to a Use After Free condition. |
| Technology Area | Camera |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/25/2017 |
| Customer Notified Date | 7/3/2017 |
| Patch |
CVE-2017-11016
| CVE ID | CVE-2017-11016 |
| Title | Use After Free in Audio |
| Description | When memory allocation fails while creating a calibration block in create_cal_block stale pointers are left uncleared. |
| Technology Area | Audio |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-9701
| CVE ID | CVE-2017-9701 |
| Title | Use of Uninitialized Variable in Boot |
| Description | While processing OEM unlock/unlock-go fastboot commands data leak may occur, resulting from writing uninitialized stack structure to non-volatile memory. |
| Technology Area | Boot |
| Vulnerability Type | CWE-457 Use of Uninitialized Variable |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/26/2017 |
| Customer Notified Date | 7/3/2017 |
| Patch |
CVE-2017-9721
| CVE ID | CVE-2017-9721 |
| Title | Buffer Copy without Checking Size of Input in Display |
| Description | In the boot loader, a buffer overflow can occur while parsing the splash image. |
| Technology Area | Display |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 4/27/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-9719
| CVE ID | CVE-2017-9719 |
| Title | Buffer Copy without Checking Size of Input in Display |
| Description | In the kernel driver MDSS, a buffer overflow can occur in HDMI CEC parsing if frame size is out of range. |
| Technology Area | Display |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 5/4/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-9700
| CVE ID | CVE-2017-9700 |
| Title | Use of Out-of-range Pointer Offset in Audio |
| Description | Buffer overwrite is possible in fw_name_store if image name is 64 characters. |
| Technology Area | Audio |
| Vulnerability Type | CWE-823 Use of Out-of-range Pointer Offset |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 5/8/2017 |
| Customer Notified Date | 7/3/2017 |
| Patch |
CVE-2017-9690
| CVE ID | CVE-2017-9690 |
| Title | Integer Overflow to Buffer Overflow in Core |
| Description | In a qbt1000 ioctl handler, an incorrect buffer size check has an integer overflow vulnerability potentially leading to a buffer overflow. |
| Technology Area | Biometrics |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 5/10/2017 |
| Customer Notified Date | 7/3/2017 |
| Patch |
CVE-2017-9718
| CVE ID | CVE-2017-9718 |
| Title | Time-of-check Time-of-use (TOCTOU) Race Condition in Multimedia |
| Description | A race condition in a multimedia driver can potentially lead to a buffer overwrite. |
| Technology Area | Video |
| Vulnerability Type | CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 5/11/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-14897
| CVE ID | CVE-2017-14897 |
| Title | Improper access while checking rpmb provision status |
| Description | While handling the QSEOS_RPMB_CHECK_PROV_STATUS_COMMAND, a userspace buffer is directly accessed in kernel space. |
| Technology Area | Trusted Execution Environment |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-14898
| CVE ID | CVE-2017-14898 |
| Title | Buffer overrun vulnerability in txpower scale vendor command |
| Description | While processing the QCA_NL80211_VENDOR_SUBCMD_SET_TXPOWER_SCALE vendor command, in which attribute QCA_WLAN_VENDOR_ATTR_TXPOWER_SCALE contains fewer than 1 byte, a buffer overrun occurs. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-14899
| CVE ID | CVE-2017-14899 |
| Title | Buffer overrun vulnerability in txpower scale decr db vendor command |
| Description | While processing the QCA_NL80211_VENDOR_SUBCMD_SET_TXPOWER_SCALE_DECR_DB vendor command, in which attribute QCA_WLAN_VENDOR_ATTR_TXPOWER_SCALE_DECR_DB contains fewer than 1 byte, a buffer overrun occurs. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-11017
| CVE ID | CVE-2017-11017 |
| Title | Buffer Copy without Checking Size of Input in Boot |
| Description | While flashing a specially crafted UBI image, it is possible to corrupt memory, or access uninitialized memory. |
| Technology Area | Boot |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 6/2/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-11027
| CVE ID | CVE-2017-11027 |
| Title | Information Exposure in Boot |
| Description | While flashing UBI image, size is not validated for being smaller than minimum header size causing unintialized data access vunerability. |
| Technology Area | Boot |
| Vulnerability Type | CWE-200 Information Exposure |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/2/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-11035
| CVE ID | CVE-2017-11035 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | Possible buffer overflow or information leak due to incorrect initialization of callbacks and lack of the checks for buffer size. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/2/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-11013
| CVE ID | CVE-2017-11013 |
| Title | Stack-based Buffer Overflow in WLAN |
| Description | In a WiFi driver, a stack overflow can occur as there is no boundary check against an array bound. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
| Access Vector | AdjacentNetwork |
| Security Rating | Critical |
| Date Reported | 6/8/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-14900
| CVE ID | CVE-2017-14900 |
| Title | Buffer overrun vulnerability in get chain RSSI vendor command |
| Description | While processing the QCA_NL80211_VENDOR_SUBCMD_GET_CHAIN_RSSI vendor command, in which attribute QCA_WLAN_VENDOR_ATTR_MAC_ADDR contains fewer than 6 bytes, a buffer overrun occurs. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-11031
| CVE ID | CVE-2017-11031 |
| Title | Use After Free in Display |
| Description | The VIDIOC_G_SDE_ROTATOR_FENCE ioctl command can be used to cause a Use After Free condition. |
| Technology Area | Display |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/9/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-14901
| CVE ID | CVE-2017-14901 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | A buffer overflow can occur in a vendor command. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-11014
| CVE ID | CVE-2017-11014 |
| Title | Buffer Copy without Checking Size of Input in WLAN |
| Description | While parsing a Measurement Request IE in a Roam Neighbor Action Report, a buffer overflow can occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | AdjacentNetwork |
| Security Rating | Critical |
| Date Reported | 6/13/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-11045
| CVE ID | CVE-2017-11045 |
| Title | Use After Free in Camera |
| Description | In a camera driver function, a race condition exists which can lead to a Use After Free condition. |
| Technology Area | Camera |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/13/2017 |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-11015
| CVE ID | CVE-2017-11015 |
| Title | Stack-based Buffer Overflow in WLAN |
| Description | In a WiFi driver, a buffer overflow can occur while parsing a frame. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-121 Stack-based Buffer Overflow |
| Access Vector | AdjacentNetwork |
| Security Rating | Critical |
| Date Reported | 6/14/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-14905
| CVE ID | CVE-2017-14905 |
| Title | Potential buffer over-read in WLAN driver when configuring MAC addresses |
| Description | While processing a specially crafted cfg80211 vendor command, a buffer over-read can occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/14/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
CVE-2017-11054
| CVE ID | CVE-2017-11054 |
| Title | Buffer Over-read in WLAN |
| Description | While processing a specially crafted cfg80211 vendor command, a buffer over-read can occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/14/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
CVE-2017-11058
| CVE ID | CVE-2017-11058 |
| Title | Buffer Over-read in WLAN |
| Description | While processing a specially crafted cfg80211 vendor command, a buffer over-read can occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-126 Buffer Over-read |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/14/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
CVE-2017-14902
| CVE ID | CVE-2017-14902 |
| Title | Use After Free in GLink kernel driver |
| Description | Due to a race condition in the GLink kernel driver, a Use After Free condition can potentially occur. |
| Technology Area | Qualcomm IPC |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | Internal |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-11044
| CVE ID | CVE-2017-11044 |
| Title | Use After Free in Graphics |
| Description | In a KGSL driver function, a race condition exists which can lead to a Use After Free condition. |
| Technology Area | Graphics_Linux |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/19/2017 |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-11073
| CVE ID | CVE-2017-11073 |
| Title | Improper Input Validation in WLAN |
| Description | The qcacld pktlog allows mapping memory via /proc/ath_pktlog/cld to user space. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-20 Improper Input Validation |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 6/21/2017 |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-11043
| CVE ID | CVE-2017-11043 |
| Title | Integer Overflow to Buffer Overflow in WLAN |
| Description | An a WiFI driver function, an integer overflow leading to heap buffer overflow may potentially occur. |
| Technology Area | WLAN HOST |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | AdjacentNetwork |
| Security Rating | High |
| Date Reported | 6/27/2017 |
| Customer Notified Date | 9/1/2017 |
| Patch |
CVE-2017-11007
| CVE ID | CVE-2017-11007 |
| Title | Buffer Copy without Checking Size of Input in Boot |
| Description | There is a possibility of stack corruption due to buffer overflow of Partition name while converting ascii string to unicode string in function HandleMetaImgFlash. |
| Technology Area | Boot |
| Vulnerability Type | CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’) |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 6/28/2017 |
| Customer Notified Date | 8/7/2017 |
| Patch |
CVE-2017-11042
| CVE ID | CVE-2017-11042 |
| Title | Permissions, Privileges, and Access Controls in IMS |
| Description | ImsService and the IQtiImsExt AIDL APIs are not subject to access control. |
| Technology Area | Telephony |
| Vulnerability Type | CWE-264 Permissions, Privileges, and Access Controls |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 7/3/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
CVE-2017-11092
| CVE ID | CVE-2017-11092 |
| Title | Use After Free in Graphics |
| Description | In the KGSL driver function kgsl_ioctl_gpu_command, a Use After Free condition can potentially occur. |
| Technology Area | Graphics_Linux |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | High |
| Date Reported | 7/17/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
|
CVE-2017-11085
| CVE ID | CVE-2017-11085 |
| Title | Integer Overflow to Buffer Overflow in Audio |
| Description | An integer overflow leading to a buffer overflow due to improper bound checking in msm_audio_effects_virtualizer_handler, file msm-audio-effects-q6-v2.c |
| Technology Area | Audio |
| Vulnerability Type | CWE-680 Integer Overflow to Buffer Overflow |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 7/17/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
CVE-2017-9708
| CVE ID | CVE-2017-9708 |
| Title | Use After Free in Camera |
| Description | A race condition could lead to a use-after-free condition in the camera driver. |
| Technology Area | Multimedia |
| Vulnerability Type | CWE-416 Use After Free |
| Access Vector | Local |
| Security Rating | Medium |
| Date Reported | 7/25/2017 |
| Customer Notified Date | 10/2/2017 |
| Patch |
Industry Coordination
Security ratings of issues included in Android security
bulletins and these bulletins match in the most common scenarios but may
differ in some cases due to one of the following reasons:
- Consideration of security protections such as SELinux not enforced on some platforms
- Differences in assessment of some specific
scenarios that involves local denial of service or privilege escalation
vulnerabilities in the high level OS kernel
Version History
| Version | Date | Comments |
| 1.0 | December 13, 2017 | Bulletin Published |
| 1.1 | February 9, 2018 | Bulletin updated |
| 1.2 | March 26, 2018 | Removed duplicate instance of CVE-2017-11035 |